NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error

Catalin Cimpanu, writing for BleepingComputer: Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package. JavaScript developers from all over the world received the error, and not just in certain geographical regions. The bug did not affect all users, but only those behind a proxy server.

You gotta wonder

[Zephyn]

How many people saw that error message and thought to themselves, "This Internet of Things concept is getting way out of hand."

Re:

[Anonymous Coward]

The 418 code was an April 1st joke, it really should not be in the codebase of any serious web application...

Re:You gotta wonder

[Lunix Nutcase]

Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

Re:You gotta wonder

[rahvin112]

Yet it's used directly by millions of people every day and with major applications. This is the problem with these hosted javascript scripts that people plug into their websites willy nilly. They are a shitshow where someone could gain access and plug malware into millions of websites and is a single point of failure. Not even going to touch the shitty programming parent alludes too. Anyone thinking of using this shit should pull copies and check it for security and code quality and host it on their own servers rather than just point to the script and load it dynamically.

But that would be hard and who cares if it's hard. Funny thing is we just went through this a couple months ago when one of these major scripts hosting went down and it disabled 1/4 of the internet. You'd think people would learn from that.

Re:

[devman]

You can also use subresource integrity.

Re:

[NicknameUnavailable]

Yet it's used directly by millions of people every day

Air is used by more and most of them are still fucking retarded.

Re:You gotta wonder

[Carewolf]

Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

No it is obviously a teapot.

Re:

[FormOfActionBanana]

Don't be a doofus. It is unassigned. https://www.iana.org/assignmen... [iana.org]

Re:

[Medievalist]

RFC 2324 section 2.3.2 assigns error 418 as follows:

Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.

So as long as NPM is RFC2324 compliant, that's a perfectly cromulent error code. :)

Re:

[Lunix Nutcase]

It is a regrettably well spread misconception that publication as an
RFC provides some level of recognition. It does not, or at least not
any more than the publication in a regular journal. In fact, each
RFC has a status, relative to its relation with the Internet
standardization process: Informational, Experimental, or Standards
Track (Proposed Standard, Draft Standard, Internet Standard), or
Historic. This status is reproduced on the first page of the RFC
itself, and is also documented in the periodic "Internet Official
Protocols Standards" RFC (STD 1).

https://tools.ietf.org/html/rf... [ietf.org]

Now let’s go to the I’m a Teapot RFC:

Status of this Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

So basically you’re wrong as can be.

Re:

[Lunix Nutcase]

And the person is double fail since that RFC even states it’s not a “standard of any kind.”

Re:

[Lunix Nutcase]

No it’s not. Also it was part of a yearly joke RFC.

Re:

[kevingolding2001]

So I guess Google is not a serious web application then.

http://www.google.com/teapot [google.com]

Re:You gotta wonder

[arth1]

If you saw the error message, you used a command line interface with a proxy server, and thus were likely tech savvy. And then chances are you'd know about the 418 error code and RFC2324 [ietf.org]. It's 20 years old now, preceding IOT by quite a bit.

Re:

[DontBeAMoran]

It's nothing compared to "YouTube error 583, I'm a giraffe" [youtube.com], which has affected 1.2 million users.

Re:

[NicknameUnavailable]

No real nerds fail to understand the meaning behind error 418, but the beasts will never understand.

Re:

[q_e_t]

I presume it is a panic that alludes to Tim Brooke-Taylor in The Goodies.

Re:

[gweihir]

Better than "lp0 on fire", now that might wake a few people up. Unfortunately, AFAIK, there is no HTTP error code for that.

Re: You gotta wonder

[Z00L00K]

Because http wasn't invented when lp0 was created.

Re:

[gweihir]

HTTP could have been backwards compatible...

ERR! 418 I'm a Teapot

[Anonymous Coward]

Short and Stout!

Re:

[Oswald McWeany]

Short and Stout!

That's not a teapot, that's a beer glass.

Re:ERR! 418 I'm a Teapot

[syn3rg]

IMAO, a beer glass should never be short. The contents, however, may be stout.

Re:

[SuricouRaven]

You are not familiar with the classic British beer glass? It is short. It is also wide. They have largely disappeared from pubs these days, as they are expensive to replace and make excellent brawling weapons.

Re:ERR! 418 I'm a Teapot

[K. S. Kyosuke]

Short and /dev/stdout?

I'm too oldschool.

[jellomizer]

I like to download my Javascript Framework and have it linked to the internal web-server.
Just for the sake that I don't want an extra point of failure. (Like this) Then you have a to worry about if the bigger target site got hacked and altered the Node.js file to do some nasty stuff from the file.

Other then getting updates automatic. What is the point?

Re:I'm too oldschool.

[El Cubano]

I like to download my Javascript Framework and have it linked to the internal web-server.

That is not old school. It is the difference between being an amateur programmer and a professional software developer/engineer. To be clear, deploying anything meaninfgul into production based on drawing dependencies form a source which do not trust or directly control is an amateur move.

For anything more complex than school/hobby project, and for every professional project, I make it a point to ensure the stability and availability of the dependencies. In some cases that might be as simple as ensuring the libraries are available and suitable as is in the Linux distro package repo (I generally trust Debian, RHEL, and Suse for stuff like this). In the case where the packages are not available or they are only available from a potentially unreliable source (Fedora, NPM, CPAN, Maven central, RubyForge, etc.) I make sure to make a local copy (either stand up my own repository or incorporate the depednecny into source control directly). That way I can be assured that the dependency continues to be available to and working when I need.

Granted, doing that means that one accepts the burden/responsibility of keeping the depedency up to date and tracking the vendor/upstream security advisories. But then, that is why (good) software developers/engineers get paid well.

Re:I'm too oldschool.

[TheDarkMaster]

This. Oh boy, this. I'm fucking sick of seeing all these websites developed in this completely amateur way using javascripts files from several external sources to the site itself where each of them is a potential source of problems and security breaches, and this is not to mention the cases where these scripts call other scripts from other sites that in turn also call other scripts in a lunatic chain of operations to do things that should be contained within the original site.

Re:

[aaarrrgggh]

I love it. Makes it easier to block all the useless shit with noscript...

Re:

[jellomizer]

"But then, that is why (good) software developers/engineers get paid well."
Of course your bosses who get paid better will tell you to do it the stupid way, because they don't want to accept risk. They much rather see the customers not be able to work and have someone else to blame. Then have an overall higher update, but take blame when there is an issue.

Re:

[HiThere]

You make an interesting commentary on rust.

Re:

[jellomizer]

"I write my server side code in C" Leaving you programs open to buffer overflow and memory leaks.
"my CGI lib is fucking bulletproof since the functions are ancient and have been hammered on for decades" So it is relatively simple.
"I write my client side code in C and use Emscripten to compile my code to ASM.js " So you code a low level language and compile it to a high level language?
"Since I have a C complier targeting browsers this means I can use ANY FUCKING SOFTWARE I WANT on either the client or server

Re:

[K. S. Kyosuke]

I have found such developers who call themselves old school and do all this stuff, are just less likely to learn something new.

That will probably be important once "something new" appears. So far the software industry at large is catching up with computing infrastructure research of the 1980s.

Proving Once and for All

[Anonymous Coward]

It's never oolong before working in javascript stabs programmers right in the puer!

Re:

[BronsCon]

I tea what you did there.

Re:

[Spinlock_1977]

Do your research before anonymously flinging mud please. HTTP 418 is a legitimate error code: https://developer.mozilla.org/... [mozilla.org]

Re:

[Anonymous Coward]

It is a legitimate error code [ietf.org] only if the device is an actual teapot and was asked to brew coffee. That is not the case in this situation, and the error code is being misused.

Re:

[Anonymous Coward]

Do your research before anonymously flinging mud please. HTTP 418 is a legitimate error code: https://developer.mozilla.org/... [mozilla.org]

It is not legitimate at all. Check the official docs, not Mozilla's: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

Re:

[FormOfActionBanana]

It is unassigned, asshat. https://www.iana.org/assignmen... [iana.org]

Best 400 Error Code!

[Murdoch5]

418 is by far the best 400 code you can generate and it's hilarious!

Re:

[arth1]

and were suddenly silenced

No, that would be the 451 error code [ietf.org].

Re:

[SuricouRaven]

I've encountered the 451 code myself, when making a web crawler: It's the code that the ipfs.io gateway will return if you request from it an object which is on their blacklist of things they have received takedowns for.

That being IPFS though, it's trivial to just use another gateway.

Time for a change in leadership

[Anonymous Coward]

There was zero response (that I could see) from the NPM team until a maintainer locked the thread and chided commenters for repeating that they too were receiving the error. This is the third or fourth time there's been a major issue that screws people relying on npm, and if the team hasn't fixed the process by now, it might be good to find a different team that can.

Re:

[Galactic Dominator]

If NPM users haven't learned by now they can't rely on that infrastructure, then maybe it's time to review your process. Live by the upstream, die by the upstream. Therefore I host my own upstream.

Trivial Projects Require Frameworks

[Anonymous Coward]

It seems the more trivial the project, the more complex of a framework it requires.

"Project Bang, requires Kong, to Compile Throng, to make lint to compile druffle to enable truffle to fluffle the socksifer."

100s of Mbs of crap to compile some trivial program, sometimes even GBs of other crapware that will only be used once.

This is why snaps and containers are awesome, I don't pollute my system with crap, and I can remove it at the drop of a hat.

Whatever happened to "make"?

Then again, I just answered my own

Don't make tea in a coffee pot

[jfdavis668]

You wouldn't get that error if you made coffee. You can't make tea in a coffee pot!

Re:

[jfdavis668]

I think I got that backward. You can't make coffee in a tea pot.

yeah, I did that.

[Thud457]

You can't, but I bet Jim Holden can.

Re:

[HiThere]

Sure you can also make coffee in a teapot. You can either use instant, or add a raw egg to the grounds.

To be expected.

[Gravis Zero]

This what happens when you model your software after a house of cards.

Re:

[jfdavis668]

That's it, I'm writing my own OS, network stack, web server, database server, etc. I'll be up and running in about 20 years.

Re:

[OrangeTide]

That's my plan as well. I started my web server OS + compiler project in 1997, and I'm way behind.

(honestly NaviServer/AOLserver sort of filled my needs at the time and I never got around to doing my own project, even though it sounds amazing on paper. Then I discovered Inferno and realized my ideas weren't anything new)

P.S. Luvit [luvit.io] is a Lua-based NodeJS-like server and could probably be ported to run bare metal ESP32 or RPi. So for the crazy hyper-DIY coder that model might be feasible in only 5-10 years ins

Re:

[q_e_t]

I'm starting with emacs and will be done in three

Didn't NPM fuck up a while ago as well?

[wardrich86]

IIRC there was something wonky with their Github page a few months ago (maybe last year) that caused a bunch of trouble.

Re:

[HornWumpus]

Worked with a thumper back in DOS days.

I flashed her computer's bios. 'Adopt, retry, fail? Complete waste of time, but better than working.

Could be worse

[iTrawl]

Could have been: 419 I'm a Nigerian Prince.

Re:

[Tablizer]

I for one welcome our Nigerian teapot overlords.

Re:

[PPH]

Or ERR 420: Dude! What?

Re:

[q_e_t]

Dude where's my JavaScript?

Why?

[SuricouRaven]

Why does Javascript even need a repository? Between that, node.js and jquery, it's starting to look like someone has been reinventing the library stack with quickbasic at the foundation.

Re:

[q_e_t]

Shhh

Re:

[EETech1]

APK Hosts File Engine 2.0++ 64-bit for Linux

Link?

Not very stout

[Khyber]

But then again, NPM and maintainers aren't known for being the brightest bulbs, either. I can think of four other times they've fucked up just in recent memory.

Re:

[q_e_t]

And one proxy to bind them all?

Re:

[HornWumpus]

No, no, no. As OS written in Javascript...running on a hypervisor also written in Javascript...all of which have their code residing on random shares setup on game consoles.

Re:

[K. S. Kyosuke]

Replace "Java" with "Oberon" and you'll make me quite happy.